How My Botnet Defeated the Russian Hackers 2: The Car-Purchasing Bot

Michael Schrenk now dwells on the actual bot design that enabled his client to outperform competitors in terms of buying the best used cars online.

Great chance but hardly doable

So, a car dealer came to me; he had a great opportunity, found a wonderful website that was part of the national franchise. They were getting in used rental cars, two years old, 12-16 thousand miles, well maintained – perfect cars that you’d want to have on your lot. Unfortunately, there’s a lot of competition for these cars because all the people in that dealership chain wanted the same cars, and the website was horrible and made it almost impossible to buy the cars. So there was a lot of frustration.

Problem #1

This is kind of the way it worked. There would be maybe 200-300 cars presented every day, and the cars would have little display ads like this (see left-hand image) that gave a little bit of a description. And there was an inactive “Buy Now!” button. At exactly sale time, the button would appear. But the problem with this was it wasn’t using AJAX or anything, so you had to physically sit and refresh the browser constantly to get that button to appear.

Problem #2

Well, this led to another problem: there was an incredible server lag (see right-hand image). My client – and I think he was probably pretty typical of all of them in this chain – he would grab every person he could find, people out of parts, out of the sales floor, administrative assistants, and sit them all in front of computers. Each one of them was assigned maybe about six cars, so they’d have six browser windows open, and they’re all sitting there frantically hitting the Refresh button constantly.

Lots of continuous downloads

So, if you think about this, this would be roughly the equivalent of 36 users for this one dealership. I don’t know, maybe there were 750 dealers that were doing this. So, that was almost 30 thousand simultaneous downloads that were happening at sale time (see left-hand image). Servers should be able to handle it, right?

Server lag peaking

But I think there was some inefficiency with the database possibly, some bad queries were being made, and this caused a ridiculous peak in server lag time right at the point where you don’t want to have it (see right-hand image). It wouldn’t be unusual for it to take 15 or 30 seconds for the screen to refresh at sale time. Sometimes it would just time out. So, this was a real problem.

Problem #3

The other problem is that out of these, say, 200 cars that were up for sale every day, there were maybe five that every single dealership in the country wanted, either because they were the right color, probably because they were a really great price, or for whatever reason, I don’t know. But every dealership would want these five cars, so you’d have a lot of competition for the same cars. Plus server lag, bad web design, you had to involve a lot of people to do this.

Key problems to solve

So, this particular client – I had written a number of bots for him in the past – gave me a call and said: “Can you help me out, Mike?” I said: “Let’s take a look.” The system was way too manual, to begin with. So, the way this would work was he would have to manually go and select the cars that he wanted to buy; he’d have to distribute the VIN numbers to the various people; he’d have to call people in off of their normal duties that they would be doing; they’d be dedicating probably a good 15-20 minutes hitting the Refresh button every day. So, that wasn’t good, plus the Buy button took way too long to appear because of the server lag. We ended up with two solutions: one of them because it worked; the second one because we had competition.

The four HTML frames

So, let’s look at phase one first here (see left-hand image). And, again, this is not classic bot design. And keep in mind this was done some six years ago, I don’t develop like this anymore. Okay, so here’s what I did. I came up with a web interface for my client, and if you look here this is basically just four HTML frames that were independent from each other. By the way, I say “botnet” but this was all done on computers that we owned, so there’s a difference. In fact, all of the bots that I write are all commercial bots, we own all the hardware; I just wanted to let you guys know that. So, instead of hauling in all these people that hit the Refresh button constantly while they should be doing something else, my client was able to pull up something like this. And quite frequently he would have two or three computers set up with this in the browser, and he would select what cars he wanted.

The authentication phase

The first step was to log on (see right-hand image). It was a closed sale basically, and they had several accounts they could use, so the first thing they would do is they would pick which account they wanted to use for this particular bot.

VIN validation

And the next step was you would pick the VIN number of the car you wanted (see left-hand image), and it would go ahead and validate that that was an actual car for sale. That’s important because anytime you’re writing a bot you don’t want to do something that could not possibly be done by a human. And if there’s a car that is not available for sale you don’t want to try to buy that, because some system admin somewhere is going to say: “How do they do that?! What is that IP address? They’re generating a lot of traffic!” So it’s important to validate stuff like that.

Synchronized clocks

So, as soon as the VIN was validated, a little Start button would appear. Instead of being right on time when the sale was, you could do this hours in advance, hit the Start button, and then it would start to count down. The way it would do this is it was basically synchronizing its clock with the server clock of the sale server, and this is really simple stuff (see right-hand image). In the HTML meta refresh, it would just start refreshing every so often. As the sale got closer and closer, it would refresh more often until right at the end it was like lockstep with the server clock. And as soon as it timed out, it would go ahead and it would attempt to purchase the car. Now, this shows just one bot client. Basically, the bot clients acted as triggers for the server that actually made the purchase. There may have been 16-30 of these running, triggering the server.
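The refresh pattern described here (intervals that shrink steadily until the client is in lockstep with the server clock at sale time) is also what the sale server's operators could have looked for. The following is an added example, not code from the talk or from the bot it describes: it parses a small, constructed access log in Common Log Format and flags clients whose inter-request gaps to the sale page keep shrinking as the sale time approaches, while a human who refreshes at irregular intervals is left alone. The IP addresses, paths (`/sale/<id>`), timestamps and the 12:00:00 sale time are all constructed for the example.

```python
"""Flag 'sniper' refresh cadence in web server access logs.

Added example (not from the original talk). The talk describes bot clients
that synchronise with the sale server's clock and refresh at shrinking
intervals until they are in lockstep at sale time. Seen from the server,
that is a distinctive signature: one client whose gaps between requests
for the sale page shrink step after step, unlike a human who hits Refresh
at irregular intervals. All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sale time used by the sample log (UTC).
SALE_TIME = datetime(2013, 5, 14, 12, 0, 0, tzinfo=timezone.utc)

# Constructed Common Log Format lines: one converging bot client (10.0.0.5)
# and one irregular human client (192.168.1.20) watching the same sale page.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2013:11:55:00 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2013:11:57:30 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2013:11:58:45 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2013:11:59:25 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2013:11:59:45 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2013:11:59:55 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
10.0.0.5 - - [14/May/2013:12:00:00 +0000] "POST /sale/ABC123/buy HTTP/1.1" 200 880
192.168.1.20 - - [14/May/2013:11:58:10 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
192.168.1.20 - - [14/May/2013:11:58:14 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
192.168.1.20 - - [14/May/2013:11:58:31 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
192.168.1.20 - - [14/May/2013:11:58:36 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
192.168.1.20 - - [14/May/2013:11:59:50 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
192.168.1.20 - - [14/May/2013:12:00:07 +0000] "GET /sale/ABC123 HTTP/1.1" 200 5120
"""

# client, timestamp, method, path (the rest of the line is not needed here)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Return a list of (client, datetime, method, path) for parseable lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than failing
        client, ts, method, path = m.groups()
        entries.append((client, datetime.strptime(ts, TS_FORMAT), method, path))
    return entries


def refresh_gaps(entries, path_prefix, sale_time):
    """Per client, seconds between consecutive GETs of the sale page before sale time."""
    times = defaultdict(list)
    for client, when, method, path in entries:
        if method == "GET" and path.startswith(path_prefix) and when <= sale_time:
            times[client].append(when)
    gaps = {}
    for client, stamps in times.items():
        stamps.sort()
        gaps[client] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def looks_like_sniper(gaps, min_gaps=4, min_decreasing_fraction=0.9):
    """True when there are enough gaps and nearly every step is shorter than the last."""
    if len(gaps) < min_gaps:
        return False  # too few samples to call a trend
    steps = list(zip(gaps, gaps[1:]))
    decreasing = sum(1 for earlier, later in steps if later < earlier)
    return decreasing / len(steps) >= min_decreasing_fraction


def find_snipers(log_text, sale_time, path_prefix="/sale/"):
    """Map each client to its refresh gaps and a sniper verdict."""
    gaps = refresh_gaps(parse_log(log_text), path_prefix, sale_time)
    return {c: {"gaps": g, "sniper": looks_like_sniper(g)} for c, g in gaps.items()}


if __name__ == "__main__":
    for client, info in find_snipers(SAMPLE_LOG, SALE_TIME).items():
        print(client, info["gaps"], "SNIPER" if info["sniper"] else "human-like")
```

The verdict is deliberately based on the shape of the cadence rather than on raw request volume: in the situation the talk describes, a busy dealership refreshing by hand could easily generate more requests than one well-behaved bot, so a volume threshold alone would flag the wrong people.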

Successful purchase

Sometimes we’d miss one. But more often the sale was successful (see left-hand image), and we would send an email confirmation to my client saying: “You bought this car!” And we would also arrange for financing for him. While we were at it, we’d make sure that the car actually was shipped correctly back to his dealership. So the bot provided a lot of utility in that regard.

Success rate

How successful were we? Well, before, he wasn’t getting anything, and this was really frustrating for him because these were cars he really wanted and he knew he could make a profit out of them, given the price they were selling for. After, we were getting probably 95%-97% of the cars he was trying to buy. So, the difference was phenomenal. It was so much fun, because even after I was done developing this I would get a call every day from my client 15-20 minutes after the sale, and he would say: “Mike, we bought five out of six today!”, “We got seven out of seven!”, “We got nine out of twelve!” And I was like: “Settle down, don’t get greedy here. Don’t kill the golden goose.”

Reasons for initial success

So, why were we successful at this? The main problem with the old one is that people had to wait for that stupid “Refresh” button or that “Buy Now!” button to happen. And there was so much server lag that that was a problem. And usually, whoever got the Buy button first was the person that bought the car (see left-hand image).

The timer worked wonders

So, basically, what we did is we got rid of the Buy button. We just got rid of it, and we replaced it with a timer that was automated so you didn’t need that person hitting Refresh all the time (see right-hand image). And it would just know what time to buy the car and it would go ahead and buy it. This type of a bot is typically called a “sniper”. I remember back in the day when I was doing this, we were testing and I was going to write in an email that said something to the effect of “I’ve got six ‘snipers’ waiting to hit cars at noon; hopefully we’ll make some hits today”, or “I’ll have some kills” or something like that. And I was just about ready to send that email and I started thinking about Carnivore and some of the stuff that was happening back then, and I thought: “Nah, I’ll just give him a call…” Today I would never send an email like that; I’m not even sure I’d make a phone call. So, yeah, watch your language.